Support static credentials

Allow for configuring a map of static username/password pairs using the new 'credentials' option.
processone · Aug 1, 2023 · 5be27b5 · 5be27b5
1 parent 1cb584b
commit 5be27b5
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 12 deletions.
diff --git a/src/eturnal.erl b/src/eturnal.erl
@@ -143,7 +143,12 @@ handle_call({get_password, Username}, _From, State) ->
             Password = derive_password(Username, [Secret]),
             {reply, {ok, Password}, State};
         undefined ->
-            {reply, {error, no_secret}, State}
+            try maps:get(Username, get_opt(credentials)) of
+                Password ->
+                    {reply, {ok, Password}, State}
+            catch _:{badkey, _Username} ->
+                    {reply, {error, no_credentials}, State}
+            end
     end;
 handle_call(Request, From, State) ->
     ?LOG_ERROR("Got unexpected request from ~p: ~p", [From, Request]),
@@ -235,7 +240,7 @@ get_password(Username, _Realm) ->
         ExpireTime ->
             case erlang:system_time(second) of
                 Now when Now < ExpireTime ->
-                    ?LOG_DEBUG("Looking up password for: ~ts", [Username]),
+                    ?LOG_DEBUG("Deriving password for: ~ts", [Username]),
                     derive_password(Username, get_opt(secret));
                 Now when Now >= ExpireTime ->
                     case get_opt(strict_expiry) of
@@ -249,8 +254,12 @@ get_password(Username, _Realm) ->
                     end
             end
     catch _:badarg ->
-            ?LOG_INFO("Non-numeric expiration field: ~ts", [Username]),
-            <<>>
+            ?LOG_DEBUG("Looking up password for: ~ts", [Username]),
+            try maps:get(Username, get_opt(credentials))
+            catch _:{badkey, _Username} ->
+                    ?LOG_INFO("Have no password for: ~ts", [Username]),
+                    <<>>
+            end
     end.
 
 %% API: retrieve option value.
@@ -451,7 +460,7 @@ opt_filter(Opt) ->
 
 -spec turn_opts(boolean()) -> proplists:proplist().
 turn_opts(EnableTURN) ->
-    case {EnableTURN, got_secret(), got_relay_addr()} of
+    case {EnableTURN, got_credentials(), got_relay_addr()} of
         {true, true, true} ->
             [{use_turn, true},
              {auth_type, user}];
@@ -509,8 +518,8 @@ turn_enabled() ->
                       EnableTURN =:= true
               end, get_opt(listen)).
 
--spec got_secret() -> boolean().
-got_secret() ->
+-spec got_credentials() -> boolean().
+got_credentials() ->
     case get_opt(secret) of
         Secrets when is_list(Secrets) ->
             lists:all(fun(Secret) ->
@@ -519,7 +528,7 @@ got_secret() ->
         Secret when is_binary(Secret), byte_size(Secret) > 0 ->
             true;
         undefined ->
-            false
+            map_size(get_opt(credentials)) > 0
     end.
 
 -spec got_relay_addr() -> boolean().

diff --git a/src/eturnal_ctl.erl b/src/eturnal_ctl.erl
@@ -63,8 +63,8 @@ get_credentials(Expiry, Suffix) ->
                 {ok, Password} ->
                     Credentials = format_credentials(Username, Password),
                     {ok, unicode:characters_to_list(Credentials)};
-                {error, no_secret} ->
-                    {error, "No shared secret"};
+                {error, no_credentials} ->
+                    {error, "No shared secret and no credentials"};
                 {error, timeout} ->
                     {error, "Querying eturnal timed out"}
             end
@@ -83,8 +83,8 @@ get_password(Username0) ->
                     case call({get_password, Username}) of
                         {ok, Password} ->
                             {ok, unicode:characters_to_list(Password)};
-                        {error, no_secret} ->
-                            {error, "No shared secret"};
+                        {error, no_credentials} ->
+                            {error, "No shared secret and no credentials"};
                         {error, timeout} ->
                             {error, "Querying eturnal timed out"}
                     end;

diff --git a/src/eturnal_yaml.erl b/src/eturnal_yaml.erl
@@ -79,6 +79,7 @@ validator() ->
         blacklist => blacklist_validator(),
         whitelist => list_or_single(ip_mask()),
         strict_expiry => bool(),
+        credentials => map(binary(), binary(), [unique, {return, map}]),
         realm => non_empty(binary()),
         software_name => non_empty(binary()),
         run_dir => directory(write),
@@ -107,6 +108,7 @@ validator() ->
           blacklist => ?DEFAULT_BLACKLIST,
           whitelist => [],
           strict_expiry => false,
+          credentials => #{},
           realm => <<"eturnal.net">>,
           secret => [get_default(secret, make_random_secret())],
           software_name => <<"eturnal">>,